OEM Mandate: Mercedes-Benz and the Information Security Shift

Jan 22, 2026 | Cyber News

The pressure on dealerships is no longer just coming from the FTC. The manufacturers (OEMs) are now stepping in with formal cybersecurity requirements. Mercedes-Benz has announced that its dealer network must implement a qualified information security program by September 30, 2026.

What Mercedes-Benz Actually Requires

For dealers, Mercedes-Benz is NOT mandating ISO 27001 certification as the only acceptable path. The requirement offers flexibility:

Accepted Standards:

  • ISO 27001 – The internationally recognized ISMS framework (full certification)
  • TISAX Level 2 – An automotive-specific standard often described as a ‘lighter lift’ for retail operations
  • Equivalent recognized programs – Other certifications meeting similar rigor

This flexibility acknowledges that full ISO 27001 certification can be resource-intensive for smaller dealer operations, while TISAX Level 2 provides automotive-specific controls without the overhead of a full ISMS implementation.

For Suppliers: A Different (Older) Standard

Mercedes-Benz has long maintained separate information security requirements for suppliers handling sensitive data (prototypes, development information, production data). These requirements reference ISO 27001 as a benchmark and accept TISAX, SOC 2 Type II, or equivalent certifications as proof of compliance.

Why ISO 27001 or TISAX?

While the FTC Safeguards Rule is a regulatory floor, frameworks like ISO 27001 and TISAX represent industry best practices. They provide:

  • Structured Risk Management: Documented processes for identifying and mitigating threats
  • Third-Party Validation: Independent audits proving your program works
  • Supply Chain Trust: Assurance to OEMs that their data and brand are protected

The Domino Effect

When one major OEM makes a move like this, others follow. BMW, Volkswagen Group, and other German OEMs already leverage TISAX for their supplier networks. Expect similar dealer requirements from other manufacturers.

OEMs are terrified of a ‘Downstream Breach’, in which an attacker enters the OEM’s corporate network through a vulnerable dealer’s VPN connection. The CDK Global attack proved this risk is very real.

Getting Ahead of the Curve

If you wait for your OEM to mandate these standards, you will be in a mad scramble to comply. By building a program based on recognized frameworks now, you won’t just meet the FTC’s requirements; you’ll be ready for any OEM audit that comes your way.

Key Deadline: September 30, 2026 for Mercedes-Benz dealers

Note: Requirements vary by OEM and may change. Consult your manufacturer’s dealer communications portal for the most current contract-specific details.

Written by Scott Sailors

Principal Security Consultant with over 20 years of experience in security architecture, engineering, and executive leadership. Holds CISSP, OSCP, CISM, and CRISC certifications, along with Master's and Bachelor's degrees in Cybersecurity, with expertise bridging technical teams and senior management to communicate complex security challenges in actionable terms.